nm-l2tp / NetworkManager-l2tp

L2TP and L2TP/IPsec support for NetworkManager
GNU General Public License v2.0

linuxmint 18.2 connect issue with VyOS as server #76

Closed mandeler closed 6 years ago

mandeler commented 6 years ago

When connecting from Linux Mint 18.2 to a VyOS L2TP/IPsec server (3des-sha1-modp-1024/3des-sha1), the connection failed. Versions:

network-manager-l2tp ----> 1.2.8-1~ubuntu16.04.1~ppa1

xl2tpd ----> 1.3.6+dfsg-4ubuntu0.16.04.1

strongswan-ike ----> 5.3.5-1ubuntu3.5

L2TP was installed by compiling, strongSwan was installed from the Linux Mint package manager. Run "sudo /usr/lib/NetworkManager/nm-l2tp-service --debug" and you get the information below.

  1. Strong swan ipsec tunnel is created.
  2. "pppd timeout. looks like pppd didn't initialize our dbus module". After quite a lot of time searching, I disabled xl2tpd and manually filled in the Advanced config of the VPN setting, but it wouldn't work. Then I saw a blog talking about the Ubuntu L2TP server iptables issue, so I went ahead and checked my configuration in VyOS and found that for UDP port 1701 there is a config "set firewall name OUTSIDE-LOCAL rule 43 ipsec 'match-ipsec'". After I deleted this line, my client could finally connect to my VyOS server. I cannot figure out why, because my phones (Android and iPhone) and Windows can all connect without issue.

dkosovic commented 6 years ago

When you say you disabled xl2tpd, can you confirm xl2tpd was stopped when you did the testing? Disabling will just prevent it from starting at the next boot, but won't stop the currently running xl2tpd. I did write a bit about not stopping xl2tpd in the README.md file:

As mentioned in the README.md file, for RFC3193 it is acceptable that the source port isn't 1701, so the source and destination ports don't need to match like in that firewall rule. Earlier versions of Windows had L2TP/IPsec clients that used an ephemeral port.

dkosovic commented 6 years ago

You might want to configure VyOS to offer more than just the Win2K/XP era broken IPsec algorithms for the proposals, as a bonus strongswan and libreswan clients won't need to be configured to add the Phase 1 and 2 algorithms for the proposals in the IPsec advanced settings. There is more about it in the README.md file.

I think the VyOS IKE (phase 1) and ESP (phase 2) configuration would be something like:

set vpn ipsec ike-group TestIKE proposal 1 encryption aes128
set vpn ipsec ike-group TestIKE proposal 1 hash sha256
set vpn ipsec ike-group TestIKE proposal 1 dh-group 14

set vpn ipsec ike-group TestIKE proposal 2 encryption 3des
set vpn ipsec ike-group TestIKE proposal 2 hash sha1
set vpn ipsec ike-group TestIKE proposal 2 dh-group 2

set vpn ipsec esp-group TestESP proposal 1 encryption aes128
set vpn ipsec esp-group TestESP proposal 1 hash sha256

set vpn ipsec esp-group TestESP proposal 2 encryption 3des
set vpn ipsec esp-group TestESP proposal 2 hash sha1

The list of encryptions, hashes and dh-groups can be found here:
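
To see why offering a modern proposal next to the legacy one lets a strongswan client connect without overriding the phase 1 algorithms in the advanced settings, here is an added example (not code from NetworkManager-l2tp, VyOS or this thread) that models IKEv1 phase 1 proposal selection for the ike-group above; the client "ike=" strings are constructed for illustration.

```python
# Added example (not part of NetworkManager-l2tp or VyOS): models IKEv1
# phase 1 proposal selection between the VyOS ike-group above and a
# strongswan-style client, and flags the legacy algorithms dkosovic
# mentions.  Client proposal strings are constructed for illustration.

# VyOS dh-group numbers are IANA Diffie-Hellman group ids (RFC 2409/3526).
DH_GROUP_TO_MODP = {2: "modp1024", 5: "modp1536", 14: "modp2048"}

# Win2K/XP era algorithms that clients should not have to fall back to.
LEGACY = {"3des", "sha1", "modp1024"}

# The ike-group proposals from the comment above, as VyOS 'set' lines.
VYOS_IKE_GROUP = [
    "set vpn ipsec ike-group TestIKE proposal 1 encryption aes128",
    "set vpn ipsec ike-group TestIKE proposal 1 hash sha256",
    "set vpn ipsec ike-group TestIKE proposal 1 dh-group 14",
    "set vpn ipsec ike-group TestIKE proposal 2 encryption 3des",
    "set vpn ipsec ike-group TestIKE proposal 2 hash sha1",
    "set vpn ipsec ike-group TestIKE proposal 2 dh-group 2",
]

def vyos_ike_proposals(config_lines):
    """Parse ike-group 'set' lines into (encryption, hash, dh) tuples,
    ordered by proposal number, in strongswan naming (dh-group 14 -> modp2048)."""
    props = {}
    for line in config_lines:
        parts = line.split()
        if len(parts) != 9 or parts[:4] != ["set", "vpn", "ipsec", "ike-group"]:
            continue
        if parts[5] != "proposal":
            continue
        props.setdefault(int(parts[6]), {})[parts[7]] = parts[8]
    return [(p["encryption"], p["hash"], DH_GROUP_TO_MODP[int(p["dh-group"])])
            for _, p in sorted(props.items())]

def parse_client_proposals(ike_spec):
    """Parse a strongswan 'ike=' value, e.g. 'aes128-sha256-modp2048,3des-sha1-modp1024'."""
    return [tuple(p.split("-")) for p in ike_spec.split(",")]

def negotiate(server, client):
    """IKEv1 responder view: return the first proposal the initiator offers
    that the server also accepts, or None (phase 1 fails, no tunnel)."""
    accepted = set(server)
    return next((p for p in client if p in accepted), None)

def is_legacy(proposal):
    """True if the chosen proposal relies on any Win2K/XP era algorithm."""
    return any(alg in LEGACY for alg in proposal)
```

With only proposal 2 configured, a client that no longer offers 3des-sha1-modp1024 gets no match at all, which is the case the README's advanced-settings workaround exists for.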

mandeler commented 6 years ago

Hi dkosovic, sorry for the delay in responding. Thank you for your reply.

  1. I did check that xl2tpd was stopped, because I disabled the service and stopped it at the same time. Also, I think the P1 and P2 algorithms are not the cause of the former issue, because by default VyOS will allow different combinations of P1/P2 algorithms. And the firewall configuration allows any source port to destination port 1701, which in my case is the listening port of the VPN service.
  2. To make it brief, just as written in the first place, after I deleted "set firewall name OUTSIDE-LOCAL rule 43 ipsec 'match-ipsec'" in VyOS, everything goes fine. I don't know the true reason or mechanism behind this, but this deletion works when it comes to VyOS. Just in case anyone else encounters this problem when following the VyOS official guide to configure an L2TP/IPsec VPN.